On 26/04/14 10:26 AM, Erwann Abalea wrote:
> On Saturday, 26 April 2014 15:29:26 UTC+2, Zack Weinberg wrote:
>> On 2014-04-26 4:51 AM, Erwann Abalea wrote:
>>> On Friday, 25 April 2014 18:14:39 UTC+2, Zack Weinberg wrote:
>>>
>>>> Moreover, it is my personal opinion that as a matter of basic business
>>>> ethics, this is a cost you (or rather, your insurance) should absorb,
>>>> not your customers.
>>>
>>> Please define "customer".
>>
>> The people who receive(d) certificates from this CA. Why, do you think
>> some other category of people is more appropriately considered a CA's
>> customers?
>
> A customer is someone who *buys* goods/services from a business. Buying
> involves money (or anything playing the same role). I have certificates from
> Startcom, I didn't pay a single penny for that, therefore I'm not a customer.
> All this is a money problem, and nothing is free.
>
> Running a CA is expensive, costs associated to revocation (procedures, CRL
> downloads, OCSP requests) are hidden but far from being negligible. They are
> usually covered by the price of the certificate. In Startcom's case, this
> isn't true. Maybe the business model needs to be changed?
If the free certificates were not creating revenue by luring people into the paid offerings, I doubt they would be offered. There's no need to feel pity for a working business model. The Mozilla CA policy states that certificates suspected of compromise *must* be revoked and gives the Debian OpenSSL bug as a clear example of a case where they should be revoked. It doesn't say the customer must be given an opportunity to pay for a revocation... it says they *must be revoked* if the CA is made aware. Mozilla is making it very clear to every CA that these policies do not need to be taken seriously. They're free to violate it as much as they want, and Mozilla will likely only take notice if it causes a major media storm.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

